Phishing Club: Authenticated SQL Injection in GetOrphaned Recipient Listing
CVE-2026-28226
Summary
Phishing Club versions prior to 1.30.2 concatenate the user-controlled sortBy parameter of the GetOrphaned recipient listing endpoint directly into an ORDER BY clause without allowlist validation. An authenticated attacker can inject SQL expressions into the ORDER BY clause, potentially exposing sensitive data or disrupting the service. This issue is fixed in version 1.30.2; update to 1.30.2 or later.
What to do
A fix is available: upgrade Phishing Club to version 1.30.2 or later. Until then, restrict access to authenticated accounts you trust, since the endpoint requires authentication.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| phishing.club | phishing_club | < 1.30.2 | 1.30.2 |
Original title
Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in...
Original description
Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in versions prior to v1.30.2. The endpoint constructs a raw SQL query and concatenates the user-controlled sortBy value directly into the ORDER BY clause without allowlist validation. Because unknown values are silently passed through `RemapOrderBy()`, an authenticated attacker can inject SQL expressions into the `ORDER BY` clause. This issue was patched in v1.30.2 by validating the order-by column against an allowlist and clearing unknown mappings.
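To make the mechanism concrete, the following Go example contrasts the vulnerable shape the description gives (a remap helper that passes unknown sortBy values straight through into a concatenated ORDER BY) with the allowlisted form the fix describes. This is an added illustration and not Phishing Club's code: the table name, column names, the default sort column, the function names and the direction handling are all assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Added illustration of the ORDER BY injection pattern described in the
// advisory. Not Phishing Club's code: table, columns, function names and
// the default sort column are assumptions.

// columnMap translates API sort keys to SQL column expressions.
var columnMap = map[string]string{
	"email":      "recipients.email",
	"created_at": "recipients.created_at",
}

const defaultSortColumn = "recipients.created_at"

// remapOrderByPassthrough models the pre-fix helper: a key it does not
// know is returned unchanged, so attacker-controlled text reaches the query.
func remapOrderByPassthrough(sortBy string) string {
	if col, ok := columnMap[sortBy]; ok {
		return col
	}
	return sortBy
}

// BuildOrphanedQueryVulnerable shows the vulnerable shape: the remapped
// value is concatenated straight into ORDER BY.
func BuildOrphanedQueryVulnerable(sortBy, dir string) string {
	return fmt.Sprintf(
		"SELECT id, email FROM recipients WHERE group_id IS NULL ORDER BY %s %s",
		remapOrderByPassthrough(sortBy), dir)
}

// remapOrderByAllowlisted models the fixed helper: an unknown key reports
// ok=false instead of being passed through.
func remapOrderByAllowlisted(sortBy string) (string, bool) {
	col, ok := columnMap[sortBy]
	return col, ok
}

// sortDirection is a direction allowlist. The advisory only mentions
// sortBy; validating the direction the same way is an added hardening.
func sortDirection(dir string) string {
	if strings.EqualFold(dir, "DESC") {
		return "DESC"
	}
	return "ASC"
}

// BuildOrphanedQuerySafe only ever interpolates allowlisted values; an
// unknown sort key falls back to the default column.
func BuildOrphanedQuerySafe(sortBy, dir string) string {
	col, ok := remapOrderByAllowlisted(sortBy)
	if !ok {
		col = defaultSortColumn
	}
	return fmt.Sprintf(
		"SELECT id, email FROM recipients WHERE group_id IS NULL ORDER BY %s %s",
		col, sortDirection(dir))
}

func main() {
	// Constructed payload: a CASE expression of the kind used for blind,
	// boolean-based inference through ORDER BY (the sort order changes
	// depending on whether the inner condition holds).
	payload := "(CASE WHEN (SELECT COUNT(*) FROM users) > 0 THEN id ELSE email END)"
	fmt.Println("vulnerable:", BuildOrphanedQueryVulnerable(payload, "ASC"))
	fmt.Println("fixed:     ", BuildOrphanedQuerySafe(payload, "ASC"))
	fmt.Println("fixed, valid key:", BuildOrphanedQuerySafe("email", "desc"))
}
```

The point of the fixed helper is that the only strings that can ever reach the query are literals from the map, so the question of escaping never arises; placeholders cannot be used for identifiers in ORDER BY, which is why an allowlist is the standard fix for this class of bug.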
NVD CVSS 3.1 base score: 6.5
Vulnerability type
CWE-89
SQL Injection
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026